Key Points
- Automate Entra ID Sign-in Auditing: Build a multi-tenant Entra ID sign-in audit pipeline using Microsoft Graph PowerShell to automate log collection, standardize filters, and provide repeatable evidence for compliance and security audits.
- Secure App Registration and Permissions: Use application permissions (not delegated) for unattended, multi-tenant collection, protect credentials, and ensure per-tenant admin consent for secure, scalable data access.
- Define a Consistent Schema and Enrich Sign-in Logs: Define a normalized schema for sign-in logs and enrich fields (geo, ASN) to improve detection accuracy and keep investigative filtering consistent across tenants.
- Turn Audit Data into Security Signals: Convert audit data into security signals by applying high-signal filters (legacy auth, MFA failures, risky sessions) and generating automated reports and monthly compliance roll-ups.
- Schedule, Store, and Retain Entra ID Exports: Implement scheduled exports with retention policies, ensuring durable, versioned evidence.
Microsoft Entra audit logs are the fastest way to confirm account takeover attempts, risky sessions, and policy drift. However, reviewing them by hand does not scale across multiple tenants. You need a Graph-powered PowerShell pipeline that gives you repeatable, scheduled collection, consistent filters, and durable evidence.
A guide for making the most out of your Microsoft Entra ID logs
📌 Prerequisites:
- Microsoft Graph PowerShell should already be installed and updated.
- You need to be able to register an application in Microsoft Entra with least-privilege permissions for sign-in reporting (application permissions recommended).
- Consent must be captured per tenant, and you need to have a secure secret/managed identity strategy.
- You need to have a place for central storage for exports.
- You need a reporting workspace for monthly roll-ups and QBR evidence.
Step 1: Choose sources and define the schema
Sign-in logs are important pieces of information. You need to know exactly what data you’re collecting and how you’ll use it when building a multi-tenant Entra sign-in audit pipeline. To do that, you should:
- Prioritize Sign-In logs (user and service principals) and decide if you also need Directory Audit to properly understand what’s going on.
- Define a minimal, consistent column set. This can include the following: timestamp, user UPN/objectId, app displayName/appId, clientAppUsed (modern vs legacy), IP/location, MFA result, status (error codes), and correlationId. You can add or remove data, depending on your specific circumstances.
By the end of it, you should have a clear plan for what data you’re going to collect during the audit. This will make detections easier and help generate reliable reports.
Step 2: Secure the app registration and permissions
To fully leverage your Entra sign-in data, you need to enable unattended, multi-tenant collection safely by securing the app registration and permissions you have activated.
To do that, you should first register an app in Entra for reporting by following these steps:
- Go to the Microsoft Entra admin center and sign in.
- Go to Entra ID > App registrations > New registration.
- Set a name for your reporting app.
- Specify who can use the app under Supported account types. The available options are:
- Accounts in this organizational directory only
- Accounts in any organizational directory
- Accounts in any organizational directory and personal Microsoft accounts
- Personal Microsoft accounts
- Select Register.
💡Note: Assign only the permissions required for sign-in reporting and audit (application permissions).
Once you’ve set up the reporting app, store its credentials in a secure vault and rotate log access on a schedule. Record each tenant’s consent status for the reporting app and keep that record ready for the next review date.
By the end of this, you should have a hardened, auditable foundation for automated collection.
Step 3: Connect with Graph PowerShell and baseline queries
First, download the Microsoft Graph PowerShell module. Then, follow these steps to connect Windows PowerShell to your Microsoft Entra ID tenant:
- Set the PowerShell execution policy to RemoteSigned by running this command:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
- Run this command to install the Microsoft Graph PowerShell module:
Install-Module -Name Microsoft.Entra -Repository PSGallery -Scope CurrentUser -Force -AllowClobber
- Run this command and sign in with an admin account for your tenant when prompted:
Connect-Entra -Scopes 'User.Read.All'
Once you’ve done that, you can now:
- Authenticate non-interactively against each tenant using the app registration.
- Run baseline queries for a 24–72 hour window and export to CSV/JSON.
- Validate key fields (client app, MFA result, error codes) and time zone handling.
After connecting to Microsoft Graph, you can now make more useful queries and export the data that you need for your audit.
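The unattended, per-tenant collection described in this step, writing rows in the Step 1 column set, as an added example that is not part of the original guide or NinjaOne's tooling. It uses the Microsoft.Graph cmdlets (Connect-MgGraph, Get-MgAuditLogSignIn) rather than the Microsoft.Entra module shown above, and assumes the reporting app has been granted the AuditLog.Read.All and Directory.Read.All application permissions in every tenant, that the client secret is read from a SecretManagement vault, and that tenants.csv and its column names are constructed for this example.

```powershell
# Added example: unattended per-tenant sign-in collection into the Step 1 schema. Assumes
# Microsoft.Graph.Authentication, Microsoft.Graph.Reports and Microsoft.PowerShell.SecretManagement;
# tenants.csv is constructed with columns TenantId,ClientId,SecretName (secret lives in the vault).
param([string]$TenantListPath = '.\tenants.csv', [int]$LookbackHours = 24, [string]$OutRoot = '.\exports')

function Convert-SignInRecord {
    # Flatten one Graph sign-in object to the minimal, consistent column set from Step 1.
    param($s)
    [pscustomobject]@{
        id              = $s.Id                                               # dedupe key across overlapping pulls
        timestamp       = $s.CreatedDateTime.ToUniversalTime().ToString('o')  # always UTC, ISO 8601
        userUpn         = $s.UserPrincipalName
        appDisplayName  = $s.AppDisplayName
        appId           = $s.AppId
        clientAppUsed   = $s.ClientAppUsed
        isLegacyAuth    = $s.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients')
        ipAddress       = $s.IpAddress
        country         = $s.Location.CountryOrRegion
        authRequirement = $s.AuthenticationRequirement     # singleFactorAuthentication / multiFactorAuthentication
        errorCode       = $s.Status.ErrorCode              # 0 = success
        failureReason   = $s.Status.FailureReason
        riskLevel       = $s.RiskLevelDuringSignIn
        correlationId   = $s.CorrelationId
    }
}

$since = [datetime]::UtcNow.AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$stamp = [datetime]::UtcNow.ToString('yyyyMMddTHHmmZ')

foreach ($t in Import-Csv $TenantListPath) {
    try {
        # Get-Secret returns a SecureString, so the secret never appears as plain text here.
        $cred = [pscredential]::new($t.ClientId, (Get-Secret -Name $t.SecretName))
        Connect-MgGraph -TenantId $t.TenantId -ClientSecretCredential $cred -NoWelcome
        $rows = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
                ForEach-Object { Convert-SignInRecord $_ }
        $dir = Join-Path $OutRoot $t.TenantId
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        $rows | Export-Csv -Path (Join-Path $dir "signins_$stamp.csv") -NoTypeInformation
    }
    catch {
        # A failed tenant must not stop the run; surface it for the monitoring step.
        Write-Warning ("{0}: collection failed: {1}" -f $t.TenantId, $_.Exception.Message)
    }
    finally {
        Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
    }
}
```

Run it once with a 24-72 hour window and open the CSV to validate the client app, MFA and error-code fields before scheduling it.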
Step 4: Build high-signal filters and detections
Now that you have your raw logs, it’s time for the next step. You need to turn all that data into actionable security signals. To do that, you can:
- Create saved filters in Microsoft Entra for legacy auth, repeated MFA failures, unfamiliar locations/ASNs, high-risk sign-ins, and unusual client apps.
- Add enrichment (geo, ASN, user department) and per-tenant allowlists to reduce noise.
- Set thresholds and severities that map to playbooks (investigate, notify CSM, raise incident).
Once you’ve done all that, you can detect problems more easily. This reduces the time you need to triage issues and allows your staff to deploy more consistent actions.
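The high-signal filters listed above (legacy auth, repeated MFA failures, unfamiliar countries against a per-tenant allowlist, risky sign-ins), each mapped to a severity and playbook, as an added example that is not part of the original guide. It runs over rows in the Step 1 schema; the sample rows, the contoso tenant and its allowlist are constructed, and the 500121 error code is assumed to be Entra's "authentication failed during strong authentication request" result.

```powershell
# Added example: high-signal filters over rows in the Step 1 schema, with a per-tenant
# allowlist and severities that map to playbooks. Sample rows below are constructed.
$rows = @(
    [pscustomobject]@{ timestamp='2024-05-01T08:00:00Z'; userUpn='alice@contoso.example'; clientAppUsed='IMAP4';   errorCode=0;      riskLevel='none'; country='US' },
    [pscustomobject]@{ timestamp='2024-05-01T08:01:00Z'; userUpn='bob@contoso.example';   clientAppUsed='Browser'; errorCode=500121; riskLevel='none'; country='US' },
    [pscustomobject]@{ timestamp='2024-05-01T08:02:00Z'; userUpn='bob@contoso.example';   clientAppUsed='Browser'; errorCode=500121; riskLevel='none'; country='US' },
    [pscustomobject]@{ timestamp='2024-05-01T08:03:00Z'; userUpn='bob@contoso.example';   clientAppUsed='Browser'; errorCode=500121; riskLevel='none'; country='US' },
    [pscustomobject]@{ timestamp='2024-05-01T08:04:00Z'; userUpn='carol@contoso.example'; clientAppUsed='Browser'; errorCode=0;      riskLevel='high'; country='BR' }
)
$allowlist = @{ 'contoso' = @('US', 'GB') }   # per-tenant expected countries (constructed)

function Get-SignInDetections {
    param([object[]]$Rows, [string[]]$AllowedCountries, [int]$MfaFailThreshold = 3)
    $modern = @('Browser', 'Mobile Apps and Desktop clients')
    $out = @()
    # Legacy auth: client apps that cannot satisfy an MFA challenge (IMAP, POP, SMTP AUTH, ...)
    $out += $Rows | Where-Object { $_.clientAppUsed -notin $modern } | ForEach-Object {
        [pscustomobject]@{ rule='legacy-auth'; severity='high'; user=$_.userUpn; detail=$_.clientAppUsed; playbook='raise incident; disable legacy protocols' } }
    # Repeated MFA failures per user (assumed error 500121 = failed strong authentication request)
    $out += $Rows | Where-Object { $_.errorCode -eq 500121 } | Group-Object userUpn |
        Where-Object { $_.Count -ge $MfaFailThreshold } | ForEach-Object {
        [pscustomobject]@{ rule='mfa-failures'; severity='medium'; user=$_.Name; detail="$($_.Count) failures"; playbook='investigate; coach user' } }
    # Unfamiliar country relative to the tenant allowlist (successful sign-ins only)
    $out += $Rows | Where-Object { $_.errorCode -eq 0 -and $_.country -notin $AllowedCountries } | ForEach-Object {
        [pscustomobject]@{ rule='geo-anomaly'; severity='medium'; user=$_.userUpn; detail=$_.country; playbook='notify CSM' } }
    # Identity Protection risk level recorded on the sign-in itself
    $out += $Rows | Where-Object { $_.riskLevel -in @('medium', 'high') } | ForEach-Object {
        [pscustomobject]@{ rule='risky-signin'; severity='high'; user=$_.userUpn; detail=$_.riskLevel; playbook='investigate; revoke sessions' } }
    return $out
}

Get-SignInDetections -Rows $rows -AllowedCountries $allowlist['contoso'] |
    Sort-Object severity, rule | Format-Table -AutoSize
```

In the pipeline, replace the constructed rows with Import-Csv of each tenant's export and add a department or allowlist lookup as enrichment before the filters run.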
Step 5: Schedule, store, and retain evidence
Keep track of your data and the results of your internal audits. This makes your evidence more durable and ready for external audits.
To do that, you should:
- Schedule hourly or daily pulls with back-fill logic to avoid gaps.
- Write per-tenant exports to structured folders; apply versioning and retention.
- Generate daily and monthly roll-ups with detection counts and trend deltas.
Keeping track of all your data gives you a more reliable history for investigations, compliance, and QBR storytelling.
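The back-fill and retention logic from this step, as an added example that is not part of the original guide: a per-tenant watermark decides the next pull window (with an overlap so a late-arriving event cannot fall between two runs), the watermark advances only after a successful export, and a sweep enforces the retention policy. The folder layout, the _watermark.json file and the tenant path are constructed to match the collection example's conventions.

```powershell
# Added example: watermark-based pull window with back-fill overlap, and a retention sweep
# over per-tenant export folders (constructed layout: <OutRoot>\<TenantId>\signins_<UTC stamp>.csv
# plus a _watermark.json per tenant recording the last successfully exported end time).
function Get-PullWindow {
    param([string]$TenantDir, [int]$DefaultLookbackHours = 24,
          [int]$OverlapMinutes = 15, [int]$MaxBackfillDays = 29)
    $now = [datetime]::UtcNow
    $wmPath = Join-Path $TenantDir '_watermark.json'
    if (Test-Path $wmPath) {
        # Resume from the last successful end time; the overlap re-reads a short tail so a
        # missed or late-ingested event cannot fall into a gap between two scheduled runs.
        $last  = ([datetime](Get-Content $wmPath -Raw | ConvertFrom-Json).lastEndUtc).ToUniversalTime()
        $start = $last.AddMinutes(-$OverlapMinutes)
    } else {
        $start = $now.AddHours(-$DefaultLookbackHours)   # first run: baseline window only
    }
    # Entra keeps sign-in logs for a bounded period (30 days on P1/P2 at the time of writing),
    # so a long outage cannot be back-filled beyond that window.
    $floor = $now.AddDays(-$MaxBackfillDays)
    if ($start -lt $floor) { $start = $floor }
    $fmt = 'yyyy-MM-ddTHH:mm:ssZ'
    [pscustomobject]@{
        StartUtc = $start; EndUtc = $now
        Filter   = "createdDateTime ge $($start.ToString($fmt)) and createdDateTime lt $($now.ToString($fmt))"
    }
}

function Set-Watermark {
    # Call only after Export-Csv succeeded, so a failed run is retried from the same point.
    param([string]$TenantDir, [datetime]$EndUtc)
    @{ lastEndUtc = $EndUtc.ToString('o') } | ConvertTo-Json |
        Set-Content -Path (Join-Path $TenantDir '_watermark.json')
}

function Invoke-RetentionSweep {
    # Keep exports for the policy period; versioned snapshots older than that are removed.
    param([string]$OutRoot, [int]$KeepDays = 400)
    $cutoff = [datetime]::UtcNow.AddDays(-$KeepDays)
    Get-ChildItem -Path $OutRoot -Recurse -Filter 'signins_*.csv' |
        Where-Object { $_.LastWriteTimeUtc -lt $cutoff } |
        Remove-Item -WhatIf   # drop -WhatIf once the sweep has been reviewed
}

# Usage in the scheduled job: compute the window, pull with its Filter, then advance the watermark.
$w = Get-PullWindow -TenantDir '.\exports\contoso-tenant-id'   # constructed path
# Get-MgAuditLogSignIn -Filter $w.Filter -All | ... | Export-Csv ...
# Set-Watermark -TenantDir '.\exports\contoso-tenant-id' -EndUtc $w.EndUtc
```

Because the overlap re-reads a tail of the previous window, dedupe on the sign-in record id when building the daily and monthly roll-ups.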
Step 6: Alert and report at multi-tenant scale
Now that you have your data and reports ready, you can surface risk more quickly and show progress. Share the data with all relevant stakeholders in QBR-ready reports.
To properly integrate detections into your regular workflows:
- Create alert routes for critical detections (e.g., legacy auth spikes, persistent MFA failures).
- Publish monthly sign-in security scorecards per tenant: legacy-auth rate, MFA failure rate, risky sign-ins, geo anomalies, and MTTR.
- Track remediation tasks (disable legacy protocols, tighten CA, user coaching) and confirm improvement in next month’s roll-up.
This creates closed-loop operations that reduce risk and demonstrate value, and it integrates the audit pipeline smoothly into your day-to-day operations.
NinjaOne integration ideas when processing Microsoft Entra sign-in logs and other data
- Automation: Run scheduled PowerShell scripts and tag tenants by consent status and collection health.
- Monitoring: Set an alert for job failures, empty exports, or unusual detection spikes.
Quick-Start Guide
To build such a pipeline, you typically need to:
1. Set Up Entra ID: Ensure you have multiple tenants configured in Entra ID.
2. Use Microsoft Graph API: Leverage the Microsoft Graph API to access sign-in logs across tenants.
3. PowerShell Modules: Utilize modules like Microsoft.Graph for PowerShell to interact with Entra ID.
4. Scripting: Write PowerShell scripts to query sign-in logs, filter audit data, and export reports.
Leverage Microsoft Entra audit logs to improve your operations
Having a Microsoft Graph-powered, PowerShell-driven pipeline turns Entra sign-in logs into a powerful operational asset. It gives you repeatable collection, dependable detections, and audit-ready evidence.